Mitigating attacks on emergency telephone services

ABSTRACT

The disclosed system provides a Real-time Telephony (or Call) Monitor, Analyzer and Decision SIP Server (RTMADS) for mitigating attacks on emergency telephone systems. The RTMADS works in conjunction with an ingress node to fork incoming calls to an IMS network and the RTMADS. Within the RTMADS, forked telephone calls undergo data collection and mining, and parametric analysis. A decision matrix in the RTMADS uses the results of the data collection, mining, and parametric analysis, and other information, to make a decision with respect to incoming calls. For example, the RTMADS may decide to perform call setup on an incoming call using a dedicated or backup Public Safety Answering Point (PSAP), alert an Operations and Management (OAM) team regarding the incoming call, or accept and then terminate the incoming call.

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation of U.S. patent application Ser. No.15/712,096, filed Sep. 21, 2017, entitled “MITIGATING ATTACKS ONEMERGENCY TELEPHONE SERVICES”; which is incorporated by reference in itsentirety.

BACKGROUND

Emergency telephone services, such as 911 calls to a Public SafetyAnswering Point (PSAP), are an important public safety mechanism forconnecting distressed callers to emergency services that are needed inoften dire circumstances. Such 911 calls or distress calls (hereinreferred to collectively as “emergency calls”) often rely on Voice overInternet Protocol (VoIP) telephony nodes to facilitate a connectionbetween a distressed caller and one or more PSAPs. Unfortunately, VoIPtelephony nodes are constantly under threat because of theiraccessibility via the Internet. For example, malicious attackers maytarget the VoIP nodes with malformed Session Initiation Protocol (SIP)messages, exploit security holes, and/or flood the VoIP network withfake or spoofed calls. These types of Telephony Denial of Services(TDoS) and Distributed Denial of Services (DDoS) attacks on criticalapplication servers can have severe repercussions on the availability ofemergency services to a distressed caller. This is particularly truewhen PSAPs are flooded and over loaded with emergency calls withoutenough emergency responders available to answer the calls.

The resulting inability to reach emergency services creates potentiallylife-threatening situations for distressed callers in need ofassistance. A need therefore exists to mitigate malicious attacks onemergency services over IP networks, including VoIP networks, which aregenerally architected as an Internet Protocol Multimedia Subsystem (IMS)network (or a variant thereof) involving multiple nodes that providespecific functionalities. A typical IMS network comprises multiple nodesthat offer functionalities based on developed standards and protocols asdisclosed and incorporated by reference below. Accordingly, a solutionto mitigate telephony attacks is needed that does not interfere withexisting standards but rather uses available protocols to interoperatewith various IMS nodes. Therefore, a need further exists to mitigatetelephony attacks using a commonly used VoIP protocol, such as SIP.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram of a representative environment in which thedisclosed system to mitigate attacks on emergency telephone services mayoperate.

FIG. 2 is a block diagram of the disclosed system to mitigate attacks onemergency telephone services in accordance with embodiments herein.

FIG. 3 represents a flow chart 300 for making a call handling decisionin a Real-time Telephony (or Call) Monitor, Analyzer and Decision SIPServer (RTMADS) in accordance with embodiments herein.

FIG. 4 is a sample call flow diagram for arriving at a first decisioncall flow (Decision Call Flow 1) in accordance embodiments herein.

FIG. 5 is a sample call flow diagram for arriving at a second decisioncall flow (Decision Call Flow 2) in accordance embodiments herein.

FIG. 6 is a sample call flow diagram for arriving at a third decisioncall flow (Decision Call Flow 3) in accordance embodiments herein.

FIG. 7 is a sample call flow diagram for arriving at a fourth decisioncall flow (Decision Call Flow 4) in accordance embodiments herein.

DETAILED DESCRIPTION

The disclosed system provides a Real-time Telephony (or Call) Monitor,Analyzer and Decision SIP Server (RTMADS) for mitigating attacks onemergency telephone systems. The RTMADS works in conjunction with aningress node, such as a Session Border Controller (SBC) that functionsas a VoIP node, to fork incoming calls to an IMS network and the RTMADS.Within the RTMADS, forked telephone calls undergo data collection andmining, and parametric analysis. A decision matrix in the RTMADS usesthe results of the data collection, mining, and parametric analysis,along with analysis criteria and decision criteria, to make a decisionwith respect to incoming calls. For example, the RTMADS may decide toperform call setup on an incoming call using a dedicated Public SafetyAnswering Point (PSAP), alert an Operations and Management (OAM) teamregarding the incoming call, perform call setup on the incoming callusing a backup PSAP, or accept and then terminate the incoming call.Each of these scenarios is discussed in more detail herein.

The disclosed system is adapted to operate in various types oftelecommunications and data networks, including second-generationwireless telephone technology (2G) networks, third-generation wirelesstelephone technology (3G) networks, fourth-generation wireless telephonetechnology (4G) networks, long-term evolution (LTE) networks, LocalAccess Networks (LAN), Wireless LANs (WLAN), Global System for MobileCommunications (GSM) networks, Bluetooth, WiFi, Fixed Wireless Datanetworks.

The disclosed system is compatible with a variety of networks but issuited in particular for IMS networks. The disclosed system is adaptedto comply fully with Session Initiation Protocol (SIP) and 3GPPstandards, including 3GPP TS 23.218 (IP Multimedia session handling; IMcall model; Stage 2), RFC 7976 ((2016): Updates to Private Header(P-Header) Extension Usage in Session Initiation Protocol (SIP) Requestsand Responses), RFC 4975 (Message Session Relay Protocol), and RFC forSIP standards including for example RFC 3261 (SIP: Session InitiationProtocol), all of which are hereby incorporated by reference herein intheir entirety.

Various embodiments of the invention will now be described. Thefollowing description provides specific details for a thoroughunderstanding and an enabling description of these embodiments. Oneskilled in the art will understand, however, that the invention may bepracticed without many of these details. Additionally, some well-knownstructures or functions may not be shown or described in detail, so asto avoid unnecessarily obscuring the relevant description of the variousembodiments. The terminology used in the description presented below isintended to be interpreted in its broadest reasonable manner, eventhough it is being used in conjunction with a detailed description ofcertain specific embodiments of the invention.

FIG. 1 is a diagram of a representative environment in which thedisclosed system may operate. In the environment 100, mobile device 105attempts to place a legitimate emergency call (Call 1) to a PSAP vianetwork 115. Attack server 110 attempts to place three maliciousemergency calls (Call 2, Call 3, and Call 4) via network 115 for thepurpose of attacking emergency call services. Ingress node 115 receivescalls 1-4 and forks each call to IMS 120 and RTMADS 125. As described inmore detail herein, RTMADS 125 detects malicious calls (e.g., Call 2,Call 3, and Call 4) and terminates the malicious calls without deliveryto a PSAP. Likewise, RTMADS 120 detects legitimate emergency calls(e.g., Call 1) and allows the legitimate emergency calls to be deliveredto a PSAP, such as police agency 130. Such legitimate emergency callsmay be delivered to the PSAP by an existing IMS network, such as IMS120.

Attack server 110 may be a single malicious caller, a group of maliciouscallers, or an automated dialer (such as a robo-dialer) that isconfigured to generate malicious telephone calls. Network 115 may be anytelecommunications network capable of facilitating the transfer ofmessages between a call originator (e.g., a distressed caller, amalicious caller, or an attack server) and a PSAP, including for examplean Internet Protocol Multimedia Subsystem (IMS) network. Mobile devices105 and attack server 110 may include virtually any devices forcommunicating over a wireless network. Such devices include applicationservers or mobile telephones, such as Global System for MobileCommunications (“GSM”) telephones, Time Division Multiple Access(“TDMA”) telephones, Universal Mobile Telecommunications System (“UMTS”)telephones, Evolution-Data Optimized (“EVDO”) telephones, Long TermEvolution (“LTE”) telephones, Generic Access Network (“GAN”) telephones,Unlicensed Mobile Access (“UMA”) telephones, and other mobile computersor devices, such as Voice over Internet Protocol (“VoIP”) devices,Secure User Plane Location (“SUPL”) Enabled Terminals (SETs), PersonalDigital Assistants (“PDAs”), radio frequency devices, infrared devices,handheld computers, laptop computers, wearable computers, tabletcomputers, pagers, integrated devices combining one or more of thepreceding devices, and/or the like.

Mobile device 105 and attack server 110 typically include a processingunit, volatile memory and/or nonvolatile memory, a power supply, one ormore network interfaces, an audio interface, a display, a keypad orkeyboard and other input and/or output interfaces. The variouscomponents of a mobile device or attack server may be interconnected viaa bus. The volatile and nonvolatile memories generally include storagemedia for storing information such as processor-readable instructions,data structures, program modules, or other data. Some examples ofinformation that may be stored include basic input/output systems(BIOS), operating systems, and applications.

Mobile device 105 and attack server 110 may connect to atelecommunications network via a trusted radio access network (RAN) oran untrusted RAN (not shown). A single mobile device or attack servermay be capable of using one or both types of RANs. The RANs may use anywireless communications and data protocol or standard, such as GSM,TDMA, UMTS, EVDO, LTE, GAN, UMA, Code Division Multiple Access (“CDMA”)protocols (including IS-95, IS-2000, and IS-856 protocols), Advanced LTEor LTE+, Orthogonal Frequency Division Multiple Access (“OFDM”), GeneralPacket Radio Service (“GPRS”), Enhanced Data GSM Environment (“EDGE”),Advanced Mobile Phone System (“AMPS”), WiMAX protocols (including IEEE802.16e-2005 and IEEE 802.16m protocols), Wireless Fidelity (“WiFi”),High Speed Packet Access (“HSPA”), (including High Speed Downlink PacketAccess (“HSDPA”) and High Speed Uplink Packet Access (“HSUPA”)), UltraMobile Broadband (“UMB”), SUPL, and/or the like.

Each mobile device 105 and attack server 110 typically includes aprocessor for executing processing instructions, a data storage mediumcomponent (e.g., hard drive, flash memory, memory card, etc.), volatilememory and/or nonvolatile memory, a power supply, one or more networkinterfaces (e.g., Bluetooth Interface; and Network CommunicationInterface, which enables the mobile device or attack server tocommunicate by transmitting and receiving wireless signals usinglicensed, semi-licensed or unlicensed spectrum over a telecommunicationsnetwork), an audio interface, a display, a keypad or keyboard, amicrophone, and other input and/or output interfaces. The variouscomponents of the mobile device and attack server may be interconnectedvia a bus. The volatile and nonvolatile memories generally includestorage media for storing information such as processor-readableinstructions, data structures, program modules, or other data. Someexamples of information that may be stored include basic input/outputsystems (BIOS), operating systems, and applications. The storedinformation may include one or more SIP protocol clients capable ofgenerating, transmitting and interpreting syntactically correct SIPprotocol messages. SIP clients permit the mobile device to register withand communicate via the IMS network.

FIG. 2 is a block diagram of the disclosed system to mitigate attacks onemergency telephone services in accordance with embodiments herein.External network 205 may comprise any network, such as the Internet or aservice provider network, capable of routing a call (e.g., a VoIP call)to an IMS network. Ingress node 210 may be configured using standardizedSIP RFC compliant procedures to send relevant calls to the RTMADS. In anembodiment, ingress node 210 is a Session Border Controller (SBC) thatsends relevant calls to the RTMADS by forking SIP calls. Call data maybe collected via various types of configurations, including for exampleconfigurations involving men in the middle (MITM) type probes. Ingressnode 210 is typically an entry point to a service provider IMS VoIPnetwork and may be configured via a data collection configurationcomponent 215 to fork emergency SIP calls and other potentially harmfulor malicious calls that can overload the telephony system. Accordingly,when the IMS network is under attack by flooding of spoofed or roboemergency calls, ingress node 210 will fork the calls. Call forkingresults in an SIP INVITE being sent to the RTMADS server in addition tothe original intended PSAP recipient via the IMS network.

RTMADS 200 is part of the emergency call flow and monitors emergencycalls, collects data and uses algorithms to respond appropriately to theemergency calls if and when necessary. Upon receiving a forked call(i.e., upon receiving an SIP INVITE), RTMADS 200 starts a “Trts” timer,and executes a decision based on dynamic conditions and criteria asdescribed in more detail herein. RTMADS 200 is a multifunctional nodethat is deployed in a VoIP network. RTMADS 200 is integrated with theVOIP network call flows and uses machine learning (rather telephonylearning) to collect, store and mine relevant data. RTMADS 200 analyzesthis data to detect attacks, sends alerts, and uses a decision module todecide various actions to take in order to mitigate an attack. Based onthe type of attack, the decision module executes a decision function orinitiates a probe for gathering more specific data before taking action.RTMADS 200 is adapted to be a part of the SIP call flow for incomingcalls, and is capable of performing varied roles depending on the natureof an attack. In particular RTMADS may perform the role of a User AgentClient (UAC), User Agent Server (UAS), Back-to-Back User Agent (B2BUA),Proxy Server, and/or Redirect Server. RTMADS 200 comprises severalcomponents including data collector and miner 225, telephony parametricanalyzer 235, decision matric 245, and call probe 275, as described inmore detail herein.

Data Collector and Miner 225 receives forked calls from ingress node 210and distills received call flows, including requests and responses, intoa real-time stateful table 230 for each active call. Data Collector andMiner 225 creates real-time stateful table 230 with multiple parametersthat are part of the call flow, including without limitation SDP: RURI,FROM, TO, Via, Call-ID, Contacts, P-headers, SDP, Accept,Accept-Contact, Accept-Encoding, Accept-Language,Accept-Resource-Priority, Alert-Info, Allow, Allow-Events, Answer-Mode,Authentication-Info, Authorization, Call-ID, Call-Info,Cellular-Network-Info, Contact, Content-Disposition, Content-Encoding,Content-Language, Content-Length, Content-Type, CSeq, Date, Encryption,Error-Info, Event, Expires, Feature-Caps, Flow-Timer, From, Geolocation,Geolocation-Error, Geolocation-Routing, Hide, History-Info, Identity,Identity-Info, In-Reply-To, Join, Max-Breadth, Max-Forwards,MIME-Version, Min-Expires, Min-SE, Organization, P-Access-Network-Info,P-Answer-State, P-Asserted-Identity, P-Asserted-Service,P-Associated-URI, P-Called-Party-ID, P-Charging-Function-Addresses,P-Charging-Vector, P-DCS-Trace-Party-ID, P-DCS-OSPS, P-DCS-Billing-Info,P-DCS-LAES, P-DCS-Redirect, P-Early-Media, P-Media-Authorization,P-Preferred-Identity, P-Preferred-Service, P-Private-Network-Indication,P-Profile-Key, P-Refused-URI-List, P-Served-User, P-User-Database,P-Visited-Network-ID, Path, Permission-Missing, Policy-Contact,Policy-ID, Priority, Priv-Answer-Mode, Privacy, Proxy-Authenticate,Proxy-Authorization, Proxy-Require, Rack, Reason, Reason-Phrase,Record-Route, Recv-Info, Refer-Events-At, Refer-Sub, Refer-To,Referred-By, Reject-Contact, Relayed-Charge, Replaces, Reply-To,Request-Disposition, Require, Resource-Priority, Resource-Share,Response-Key, Restoration-Info, Retry-After, Route, RSeq,Security-Client, Security-Server, Security-Verify, Server,Service-Route, Session-Expires, Session-ID, SIP-ETag, SIP-If-Match,Subject, Subscription-State, Supported Suppress-If-Match, Target-Dialog,Timestamp, To, Trigger-Consent, Unsupported, User-Agent, User-to-User,Via Warning, and WWW-Authenticate.

Data Collector and Miner 225 also comprises timer components that trackmultiple timers associated with various components in the IMS network,including the following IMS nodes: SBC, Emergency Call Session ControlFunction (ECSCF), Breakout Gateway Control Function/Media GatewayControl Function (BGCF/MGCF), and PSAPs. The disclosed system uses thetimer components to help to detect when to take an action in response toa forked call. In addition, Data Collector and Miner 225 will initializethe Trts timer upon receiving an initial INVITE for a new call. RTMADS200 maintains a separate Trts for each forked call (or SIP INVITE) thatit receives. RTMADS 200 starts the timer from zero and tracks theduration of each INVITE to trigger decision module 245 if and whennecessary.

Telephony Parametric Analyzer 235 detects call anomalies and attacksbased on specific analysis criteria 240 and alerts decision module 245to take action. Telephony Parametric Analyzer 235 performs temporal andparametric analysis on data from real time stateful table 230 toidentify patterns that repeat over time and parameter values. TelephonyParametric Analyzer 235 also monitors the multiple timers maintained bythe disclosed system and facilitates the taking of actions based ontimer criteria. For example, in an embodiment, the disclosed system maytake action when Trts<T (configured timer values on all IMS nodes towait for INVITE response). In this example, the disclosed system ensuresthat any action taken by RTMADS 200 must be taken before the timerexpiration of any other nodes in the IMS network. Otherwise, expirationof the timer could trigger one or more of the nodes into action.

Decision Module 245 is a collection of standardized and compliantdecision functions that are executed based on the decision criteria 250and the specifics of the attack involved, as explained in more detailherein. The decision matrix is adapted to send one or more alarms 255,initiate calls 260, or terminate calls 265, as also described in moredetail herein. In addition, Decision Module 245 may request additionalinformation from call probe 275 in circumstances where more specificcall data is needed in order to make a decision regarding an incomingcall.

FIG. 3 represents a flow chart 300 for making a call handling decisionin a RTMADS in accordance with embodiments herein. In the embodiment ofFIG. 3, RTMADS processing of a call results in one of four possibledecisions. In Decision Call Flow 1, RTMADS allows an incoming call to besetup using dedicated PSAPs (i.e., using the existing IMS network). InDecision Call Flow 2, RTMADS alerts an OAM team to make a decisionregarding the incoming call. In Decision Call Flow 3, RTMADS allows anincoming call to be setup using a backup PSAP. In Decision Call Flow 4,RTMADS accepts and terminates the incoming call. The decision path forreaching each of these decision call flows is discussed in more detailbelow.

Decision Call Flow 1

In the embodiment of FIG. 3, Decision Call Flow 1 (step 325) is reachedin instances including when relatively little or no congestion exists onthe IMS network, when an emergency call is successfully accepted by theIMS network, and when the emergency call can be setup using dedicatedPSAPs. RTMADS Decision Process Flow 300 illustrates embodiments in whichDecision Call Flow 1 may be reached. In particular, the disclosed systemreceives an emergency call (step 300) and passes the received emergencycall to an SBC (step 305). Upon receiving the emergency call, the SBCforks the received call (e.g., by forking an SIP INVITE requestassociated with the emergency call) to both the IMS network (step 310)and the RTMADS (step 315). Upon forking the emergency call to the IMSnetwork and the RTMADS, the system starts a timer that is associatedwith an expiration time Trts that is used to gauge the level oncongestion on the IMS network. At step 320, if the IMS network acceptsthe emergency call before the timer expires (i.e., before the timeelapsed reaches Trts), then the system determines that Decision CallFlow 1 has been reached. Decision Call Flow 1 also may be reached if theRTMADS receives a CANCEL from the SBC before the timer expires (step330). In instances where Decision Call Flow 1 is reached, the emergencycall is processed in a typically normal fashion such that the emergencycall setup is performed using dedicated PSAPs (i.e., using the existingIMS network). Additional details regarding Decision Call Flow 1 areprovided below in reference to the call flow diagram of FIG. 4.

Decision Call Flow 2

In the embodiment of FIG. 3, Decision Call Flow 2 (step 345) is reachedin instances when there is relatively moderate to severe congestion inthe IMS network and no backup PSAPs are available. RTMADS DecisionProcess Flow 300 illustrates embodiments in which Decision Call Flow 2may be reached. At step 330, if the RTMADS does not receive a CANCELfrom the SBC before the timer expires, then the system determineswhether any other emergency telephone calls are currently active (step335). If the system determines that no other emergency calls are active,the system then determines whether one or more backup PSAPs areavailable (step 340). If the system determines that no backup PSAPs areavailable, then Decision Call Flow 2 is reached. Decision Call Flow 2also may be reached when the system determines that one or more otheremergency calls are active (step 335), that the emergency call passesspoof/robocall filter criteria (step 355), and that no backup PSAPs areavailable (step 360). When Decision Call Flow 2 is reached, thedisclosed system is adapted to provide an alert (for example, an alertto an OAM team) to determine what action is appropriate (e.g.,processing the emergency call using a backup PSAP or terminating theemergency call). Additional details regarding Decision Call Flow 2 areprovided below in reference to the call flow diagram of FIG. 5.

Decision Call Flow 3

In the embodiment of FIG. 3, Decision Call Flow 3 (step 350) is reachedin instances when there is relatively moderate to severe congestion inthe IMS network and one or more backup PSAPs are available. RTMADSDecision Process Flow 300 illustrates embodiments in which Decision CallFlow 3 may be reached. At step 330, if RTMADS does not receive a CANCELfrom the SBC before the timer expires, then the system determineswhether any other emergency telephone calls are currently active (step335). If the system determines that there are no other emergency callsactive, the system then determines whether one or more backup PSAPs areavailable (step 340). If the system determines that one or more backupPSAPs are available, then Decision Call Flow 3 is reached. Decision CallFlow 3 may also be reached when the system determines that one or moreother emergency calls are active (step 335), that the emergency callpasses spoof/robocall filter criteria (step 355), and that one or morebackup PSAPs are available (step 360). When Decision Call Flow 3 isreached, the disclosed system is adapted to perform call setup for theemergency call using backup PSAPs. Additional details regarding DecisionCall Flow 3 are provided below in reference to the call flow diagram ofFIG. 6.

Decision Call Flow 4

In the embodiment of FIG. 3, Decision Call Flow 4 (step 365) is reachedin instances when there is relatively moderate to severe congestion inthe IMS network and the system determines that the emergency call ispart of an attack on the emergency call system (e.g., a malicious attackor denial of service attack). RTMADS Decision Process Flow 300illustrates embodiments in which Decision Call Flow 4 may be reached. Atstep 330, if RTMADS does not receive a CANCEL from the SBC before thetimer expires, then the system determines whether any other emergencytelephone calls are currently active (step 335). If the systemdetermines that one or more other emergency calls are active, the systemthen determines whether the emergency call passes spoof/robocall filtercriteria that is maintained by the RTMADS (step 355). If the systemdetermines that the emergency call does not pass spoof/robocall filtercriteria, then Decision Call Flow 4 is reached. When Decision Call Flow4 is reached, the disclosed system is adapted to accept and thenterminate the emergency call. Additional details regarding Decision CallFlow 4 are provided below in reference to the call flow diagram of FIG.7.

FIG. 4 is a sample call flow diagram for arriving at Decision Call Flow1 in accordance embodiments herein. At step 1, Mobile Device 405transmits INVITE (sos-um) towards SBC 410. At step 2, SBC 410 transmitsINVITE (sos-um) towards E-CSCF 415. At step 3, SBC 410 transmits INVITE(sos-um) towards RTMADS 420, and the system starts timer RTS. At step 4,location and routing information retrieval occurs between E-CSCF 415 andGateway Mobile Location Center (GMLC) 430. At step 5, SBC 410 transmits100 TRYING message towards Mobile Device 405. At step 6, location androuting information retrieval occurs between RTMADS 420 and GMLC 430. Atstep 7, E-CSCF 415 transmits INVITE towards BGCF/MGCF 425. At step 8,BGCF/MGCF 425 transmits INVITE towards one or more Dedicated PSAPs 435.At step 9, one or more dedicated PSAPs 435 transmits 200 OK towardsBGCF/MGCF 425. At step 10, BGCF/MGCF 425 transmits 200 OK towards E-CSCF415. At step 11, E-CSCF 415 transmits 200 OK towards SBC 410. At step12, SBC 410 transmits 200 OK towards Mobile Device 405. At step 13, anacknowledge (ACK) message is transmitted between Mobile Device 405 andone or more dedicated PSAPs 435. At step 14, a Real-time TransportProtocol (RTP) message is transmitted between Mobile Device 405 and oneor more dedicated PSAPs 435. At step 15, SBC 410 transmits CANCELmessage towards RTMADS 420. In the depicted embodiment, the CANCELmessage reaches RTMADS before the RTS timer expires, thereby indicatingsuccessful emergency call processing. As a result, the RTMADS terminatesthe forked call session. At step 16, RTMADS 420 transmits 200 OK towardsSBC 410. At step 17, RTMADS transmits 487 Request Terminated messagetowards SBC 410. At step 18, SBC 410 transmits ACK message towardsRTMADS 420.

FIG. 5 is a sample call flow diagram for arriving at Decision Call Flow2 in accordance embodiments herein. At step 1, Mobile Device 505transmits INVITE (sos-um) towards SBC 510. At step 2, SBC 510 transmitsINVITE (sos-um) towards E-CSCF 515. At step 3, SBC 510 transmits INVITE(sos-um) towards RTMADS 520, and the system starts the RTS timer. Atstep 4, location and routing information retrieval occurs between E-CSCF515 and GMLC 530. At step 5, SBC 510 transmits 100 TRYING messagetowards Mobile Device 505. At step 6, location and routing informationretrieval occurs between RTMADS 520 and GMLC 530. At step 7, E-CSCF 515transmits INVITE towards BGCF/MGCF 525. At step 8, BGCF/MGCF 525transmits INVITE towards one or more Dedicated PSAPs 535. In thedepicted embodiment, the RTS timer expires upon no CANCEL message beingreceived from the SBC. RTMADS 520 detects that no backup PSAPs areavailable, and alerts the OAM team.

FIG. 6 is a sample call flow diagram for arriving at Decision Call Flow3 in accordance embodiments herein. At step 1, Mobile Device 605transmits an INVITE (sos-um) message towards SBC 610. At step 2, SBC 610transmits an INVITE (sos-um) message towards E-CSCF 615. At step 3, SBC610 transmits an INVITE (sos-um) message towards RTMADS 620, and thesystem starts the RTS timer. At step 4, location and routing informationand retrieval data is transmitted between E-CSCF 615 and GMLC 630. Atstep 5, SBC 610 transmits a 100 TRYING message towards Mobile Device605. At step 6, location and routing information and retrieval data istransmitted between RTMADS 620 and GMLC 630. At step 7, E-CSCF 615transmits an INVITE message towards BGCF/MGCF 625. At step 8, BGCF/MGCF625 transmits an INVITE message towards one or more dedicated PSAPs 635.In the embodiment of FIG. 6, the RTS timer expires upon not receiving aCANCEL message from the SBC. As a result, RTMADS 620 completes theemergency call through one or more backup PSAPs 640. At step 9, RTMADS620 transmits an INVITE message towards one or more backup PSAPs 640. Atstep 10, one or more backup PSAPs 640 transmits a 200 OK message towardsRTMADS 620. At step 11, RTMADS 620 transmits a 200 OK message towardsSBC 610. At step 12, SBC 610 transmits a 200 OK message towards MobileDevice 605. At step 13, an ACK message is transmitted between MobileDevice 605 and one or more backup PSAPs 640. At step 14, an RTP messageis transmitted between Mobile Device 605 and one or more backup PSAPs640. At step 15, SBC 610 transmits a CANCEL message towards E-CSCF 615in order to cancel the forked INVITE to the E-CSCF upon receiving a 200OK message from RTMADS 620.

FIG. 7 is a sample call flow diagram for arriving at Decision Call Flow4 in accordance embodiments herein. At step 1, Mobile Device 705transmits an INVITE (sos-um) message towards SBC 710. At step 2, SBC 710transmits an INVITE (sos-um) message towards E-CSCF 715. At step 3, SBC710 transmits an INVITE (sos-um) message towards RTMADS 720, and thesystem starts the RTS timer. At step 4, location and routing informationand retrieval data is transmitted between E-CSCF 715 and GMLC 630. Atstep 5, SBC 710 transmits a 100 TRYING message towards Mobile Device705. At step 6, location and routing information and retrieval data istransmitted between RTMADS 720 and GMLC 730. At step 7, E-CSCF 715transmits an INVITE message towards BGCF/MGCF 725. At step 8, BGCF/MGCF725 transmits an INVITE message towards one or more dedicated PSAPs 735.In the embodiment of FIG. 7, the RTS timer expires upon not receiving aCANCEL message from the SBC, and the system detects that an attack is inprogress.

At step 9, RTMADS 720 initially accepts the emergency call bytransmitting a 200 OK message towards SBC 710, which then transmits the200 OK message towards Mobile Device 705 (step 10). At step 11, SBC 710transmits a CANCEL message towards E-CSCF 715 to cancel the forkedINVITE to the E-CSCF upon receiving the 200 OK message from RTMADS 720.In some embodiments, Mobile Device 705 transmits an ACK message towardsSBC 701 (step 12), which in turn transmits the ACK message towardsRTMADS 720 (step 13). In other embodiments, RTMADS may not receive anACK message from Mobile Device 705 via SBC 710. In such embodiments,RTMADS 720 will terminate the session by sending a BYE message to SBC710 (step 14) after a predetermined period of time (e.g.,64*timer_expiry seconds). RTMADS 720 will also terminate the session ifit receives an ACK message in response to a BYE message. At step 15, SBC710 transmits the BYE message to Mobile Device 705. Mobile Device 705transmits a 200 OK towards SBC 710 (step 16), which then transmits the200 OK message towards RTMADS 720 (step 17).

Unless the context clearly requires otherwise, throughout thedescription and the claims, the words “comprise,” “comprising,” and thelike are to be construed in an inclusive sense, as opposed to anexclusive or exhaustive sense; that is to say, in the sense of“including, but not limited to.” As used herein, the terms “connected,”“coupled,” or any variant thereof means any connection or coupling,either direct or indirect, between two or more elements; the coupling orconnection between the elements can be physical, logical, or acombination thereof. Additionally, the words “herein,” “above,” “below,”and words of similar import, when used in this application, refer tothis application as a whole and not to any particular portions of thisapplication. Where the context permits, words in the above DetailedDescription using the singular or plural number may also include theplural or singular number respectively. The word “or” in reference to alist of two or more items covers all of the following interpretations ofthe word: any of the items in the list, all of the items in the list,and any combination of the items in the list.

The above Detailed Description of examples of the invention is notintended to be exhaustive or to limit the invention to the precise formdisclosed above. While specific examples for the invention are describedabove for illustrative purposes, various equivalent modifications arepossible within the scope of the invention, as those skilled in therelevant art will recognize. For example, while processes or blocks arepresented in a given order, alternative implementations may performroutines having steps, or employ systems having blocks, in a differentorder, and some processes or blocks may be deleted, moved, added,subdivided, combined, and/or modified to provide alternative orsubcombinations. Each of these processes or blocks may be implemented ina variety of different ways. Also, while processes or blocks are attimes shown as being performed in series, these processes or blocks mayinstead be performed or implemented in parallel, or may be performed atdifferent times. Further any specific numbers noted herein are onlyexamples: alternative implementations may employ differing values orranges.

The teachings of the invention provided herein can be applied to othersystems, not necessarily the system described above. The elements andacts of the various examples described above can be combined to providefurther implementations of the invention. Some alternativeimplementations of the invention may include not only additionalelements to those implementations noted above, but also may includefewer elements.

Any patents and applications and other references noted above, includingany that may be listed in accompanying filing papers, are incorporatedherein by reference. Aspects of the invention can be modified, ifnecessary, to employ the systems, functions, and concepts of the variousreferences described above to provide yet further implementations of theinvention. When statements or subject matter in an incorporated byreference conflict with statements or subject matter of thisapplication, then this application shall control.

These and other changes can be made to the invention in light of theabove Detailed Description. While the above description describescertain examples of the invention, and describes the best modecontemplated, no matter how detailed the above appears in text, theinvention can be practiced in many ways. Details of the system may varyconsiderably in its specific implementation, while still beingencompassed by the invention disclosed herein. As noted above,particular terminology used when describing certain features or aspectsof the invention should not be taken to imply that the terminology isbeing redefined herein to be restricted to any specific characteristics,features, or aspects of the invention with which that terminology isassociated. In general, the terms used in the following claims shouldnot be construed to limit the invention to the specific examplesdisclosed in the specification, unless the above Detailed Descriptionsection explicitly defines such terms. Accordingly, the actual scope ofthe invention encompasses not only the disclosed examples, but also allequivalent ways of practicing or implementing the invention under theclaims.

To reduce the number of claims, certain aspects of the invention arepresented below in certain claim forms, but the applicant contemplatesthe various aspects of the invention in any number of claim forms. Forexample, certain aspects of the disclosed system be embodied as ameans-plus-function claim, or in other forms, such as being embodied ina computer-readable medium. (Any claims intended to be treated under 35U.S.C. § 112(f) will begin with the words “means for”, but use of theterm “for” in any other context is not intended to invoke treatmentunder 35 U.S.C. § 112(f).) Accordingly, the applicant reserves the rightto pursue additional claims after filing this application to pursue suchadditional claim forms, in either this application or in a continuingapplication.

I/we claim:
 1. A computer-readable medium storing instructions that,when executed by a processor, perform a method to detect and mitigate anattack on emergency communication services, the method comprising:receiving an incoming call from an ingress node in an Internet ProtocolMultimedia Subsystem (IMS) network, wherein the incoming call isdestined for a Public Safety Answering Point (PSAP); and, routing thereceived incoming call to an IMS network component and a decisionserver; wherein the decision server in the IMS network considers one ormore parameters associated with the incoming call received at theingress node, wherein the decision server is configured to detectattacks on emergency telephone services, and wherein the decision serverdetermines an action to be taken with respect to the incoming call,wherein the determination is made based at least on the one or moreparameters.
 2. The computer-readable medium of claim 1, wherein theingress node is a Session Border Controller (SBC).
 3. Thecomputer-readable medium of claim 1, wherein the determined action callis performing call setup using a dedicated PSAP.
 4. Thecomputer-readable medium of claim 1, wherein the determined action isproviding an alert to an operator.
 5. The computer-readable medium ofclaim 1, wherein the determined action is performing call setup using abackup PSAP.
 6. The computer-readable medium of claim 1, wherein thedetermined action is terminating the incoming call.
 7. Thecomputer-readable medium of claim 1, wherein the routing comprisestransmitting an SIP INVITE message to the IMS network component and thedecision server, and further wherein the action to be taken is performedonly if the decision server does not receive a cancellation request fromthe IMS network.
 8. A method to detect and mitigate an attack onemergency communication services, the method comprising, the methodcomprising: receiving an incoming call from an ingress node in anInternet Protocol Multimedia Subsystem (IMS) network, wherein theincoming call is destined for a Public Safety Answering Point (PSAP);and, routing the received incoming call to an IMS network component anda decision server; wherein the decision server in the IMS networkconsiders one or more parameters associated with the incoming callreceived at the ingress node, wherein the decision server is configuredto detect attacks on emergency telephone services, and wherein thedecision server determines an action to be taken with respect to theincoming call, wherein the determination is made based at least on theone or more parameters.
 9. The method of claim 8, wherein the ingressnode is a Session Border Controller (SBC).
 10. The method of claim 8,wherein the determined action to be taken is performing call setup usinga dedicated PSAP.
 11. The method of claim 8, wherein the determinedaction to be taken is providing an alert to an operator.
 12. The methodof claim 8, wherein the determined action to be taken is performing callsetup using a backup PSAP.
 13. The method of claim 8, wherein thedetermined action to be taken is terminating the incoming call.
 14. Themethod of claim 8, wherein the routing comprises transmitting an SIPINVITE message to the IMS network component and the decision server, andfurther wherein the action to be taken is performed only if the decisionserver does not receive a cancellation request from the IMS network. 15.A system adapted to detect and mitigate an attack on emergency services,the system comprising: a memory; and a processor coupled to the memory,wherein the system is further configured to: receive an incoming callfrom an ingress node in an Internet Protocol Multimedia Subsystem (IMS)network, wherein the incoming call is destined for a Public SafetyAnswering Point (PSAP); and, route the received incoming call to an IMSnetwork component and a decision server; wherein the decision server inthe IMS network considers one or more parameters associated with theincoming call received at the ingress node, wherein the decision serveris configured to detect attacks on emergency telephone services, andwherein the decision server determines an action to be taken withrespect to the incoming call, wherein the determination is made based atleast on the one or more parameters.
 16. The system of claim 15, whereinthe determined action to be taken is performing call setup using adedicated PSAP.
 17. The system of claim 15, wherein the determinedaction to be taken is performing call setup using a backup PSAP.
 18. Thesystem of claim 15, wherein the determined action to be taken isproviding an alert to an operator.
 19. The system of claim 15, whereinthe determined action to be taken is terminating the incoming call.